Solved

Split Tunnel VPN to bypass Chinese Censorship

Posted on 2014-01-08
4
710 Views
Last Modified: 2014-01-14
My company has an office in China.  The great firewall of China often gets in the way of our western employees accessing sites that they need to work.  Some sites are completely blocked, others have their capability degraded to the point where they can hardly be used (such as Gmail).

We have a Sonicwall TZ170 in both Ottawa, Canada and Dongguan, China.  We have a VPN connection established between the sites.  I have tried routing all the traffic from Dongguan to Ottawa and this works, but it is far too slow to be practical.  

I am looking for a way to split the traffic so that restricted sites go through the VPN and unrestricted sites go through the Chinese internet.  Any suggestions?

Also, we have used various VPN services on the client machines and these work well.  But I would rather have something centrally managed.  Is there a way to route specific traffic through a 3rd party VPN?

Running Windows 2012 servers pretty much through and through.
Question by:encoad
4 Comments
 
LVL 70

Expert Comment

by:Qlemo
ID: 39766723
» Is there a way to route specific traffic through a 3rd party VPN?
Usually the answer has to be "no". VPN clients are not intended to route traffic. I've managed to force Cisco (IPSec) VPN client and Windows RRAS into proper routing (see http://www.experts-exchange.com/A_350.html for details). Most other VPN clients do not use a virtual network interface you can see in RRAS, and so that will not work for them.

» I am looking for a way to split the traffic so that restricted sites go through the VPN and unrestricted sites go through the Chinese internet.  Any suggestions?
Difficult to achieve. You'll have to route on target IP address. Unless the SonicWALL supplies wildcard routing via policy-based routing, to redirect all *.com, for example.
0
 

Author Comment

by:encoad
ID: 39766769
Is there some (relatively) inexpensive hardware that can help me achieve what I want? (either replacing or supplementing the Sonicwall).

The Sonicwall handles wildcard netmasks, but cannot do anything with specific domains.

We use VPN connections like PureVPN which works great, but I need this at the network level as opposed to the client level.

In my dreamworld, all domains owned by Google would go through PureVPN for example.
0
 
LVL 70

Expert Comment

by:Qlemo
ID: 39766855
Nothing you can set up easily will help you in your mission. And I can't tell anything about PureVPN - the info they provide is confusing, but the protocols they use would all allow for routing, if the client does. If it works with the MS VPN (PPTP, SSTP, L2TP/IPSec) or the default Open Source OpenVPN client, making a Windows machine a router is feasible.

Still all solutions would require you to divert by IP addresses, not names. And that is the main issue. But Google US has some fixed IP ranges, so that would be manageable. You would have to define the specific routing on a single point, best on your default gateway, and that usage would be transparent, no need to set up more on clients.

IDK, but a Web Proxy could also be able to apply domain specific rules - maybe even routing.
0
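To make the point in both of Qlemo's comments concrete (a gateway can only split traffic on destination IP prefixes, not on domain names, so the prefixes you route into the tunnel have to cover whatever the wanted hostnames actually resolve to), here is a small Python model. It is an added example, not code from this thread, from SonicWALL or from PureVPN: it does the longest-prefix lookup a router does over a static split-tunnel table, and then audits which resolved addresses of a "should go over the VPN" hostname would still leak out the direct path. All prefixes, hostnames, resolved addresses and the tunnel gateway are constructed placeholders from the RFC 5737 documentation ranges.

```python
"""Split-tunnel route selection and coverage audit (constructed example)."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed route table for the gateway: (destination prefix, path).
# "vpn" = send through the site-to-site tunnel, "direct" = local uplink.
# As on a real router, the most specific matching prefix wins.
ROUTE_TABLE = [
    (ipaddress.ip_network("0.0.0.0/0"), "direct"),          # default: local internet
    (ipaddress.ip_network("203.0.113.0/24"), "vpn"),        # placeholder "blocked service" range
    (ipaddress.ip_network("198.51.100.0/24"), "vpn"),       # placeholder range
    (ipaddress.ip_network("198.51.100.128/25"), "direct"),  # more specific exception
]

# Constructed stand-in for the DNS answers seen when the routes were written.
# In practice these change over time, which is why the audit below matters.
RESOLVED = {
    "mail.example.com": ["203.0.113.10", "203.0.113.11"],
    "www.example.net": ["198.51.100.5", "198.51.100.200", "192.0.2.7"],
}

# Hypothetical next-hop for the tunnel interface, used only for rendering.
VPN_GATEWAY = "10.0.0.1"


def select_path(dst: str, table=ROUTE_TABLE) -> Tuple[str, str]:
    """Longest-prefix match: return (path, matched prefix) for one address."""
    ip = ipaddress.ip_address(dst)
    best = None
    for net, path in table:
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, path)
    if best is None:
        # No default route in the table: the packet has nowhere to go.
        return ("unroutable", "")
    return (best[1], str(best[0]))


def audit_coverage(wanted_over_vpn: List[str], resolved=RESOLVED,
                   table=ROUTE_TABLE) -> Dict[str, List[str]]:
    """For each hostname that should be tunnelled, list the addresses it
    resolves to that the static table would still send out the direct path."""
    leaks: Dict[str, List[str]] = {}
    for host in wanted_over_vpn:
        bad = [a for a in resolved.get(host, []) if select_path(a, table)[0] != "vpn"]
        if bad:
            leaks[host] = bad
    return leaks


def render_windows_routes(table=ROUTE_TABLE, gateway=VPN_GATEWAY) -> List[str]:
    """Render the 'vpn' entries as Windows 'route ADD' lines for a Windows
    machine acting as router (RRAS); the gateway address is a placeholder."""
    lines = []
    for net, path in table:
        if path == "vpn":
            lines.append(f"route ADD {net.network_address} MASK {net.netmask} {gateway}")
    return lines


if __name__ == "__main__":
    for addr in ("203.0.113.10", "198.51.100.200", "192.0.2.7"):
        print(addr, "->", select_path(addr))
    print("leaks:", audit_coverage(["mail.example.com", "www.example.net"]))
    print("\n".join(render_windows_routes()))
```

The audit is the check a practitioner wants to repeat periodically: if a service adds addresses outside the prefixes you tunnelled, those connections silently go out the local path, and the first symptom is usually "it works for some users and not others".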
 
LVL 20

Accepted Solution

by:carlmd (earned 500 total points)
ID: 39767662
Take a look at the following. Even though it is older, it should help you route the traffic.

https://www.fuzeqna.com/sonicwallkb/ext/kbdetail.aspx?kbid=5243
0
